CVE-2019-18679 — Sensitive Information Exposure in Squid

CWE-200 — Sensitive Information Exposure9 documents8 sources

Severity

7.5HIGHNVD

EPSS

38.4%

top 2.75%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Squid Squid-cache Squid Canonical Ubuntu Linux +2 more

Timeline

PublishedNov 26

Latest updateMay 24

Description

An issue was discovered in Squid 2.x, 3.x, and 4.x through 4.8. Due to incorrect data management, it is vulnerable to information disclosure when processing HTTP Digest Authentication. Nonce tokens contain the raw byte value of a pointer that sits within heap memory allocation. This information reduces ASLR protections and may aid attackers isolating memory areas to target for remote code execution attacks.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:NExploitability: 3.9 | Impact: 3.6

Affected Packages2 packages

▶Debiansquid/squid< 4.9-1+3

▶NVDsquid-cache/squid2.0 — 2.7+3

Also affects: Debian Linux 8.0, Fedora 30, 31, Ubuntu Linux 16.04, 18.04, 19.04, 19.10

Patches

Patch: github.com ↗Patch: github.com ↗

🔴Vulnerability Details

GHSA

GHSA-4h4q-q4v8-2vq3: An issue was discovered in Squid 2↗2022-05-24

▶

OSV

CVE-2019-18679: An issue was discovered in Squid 2↗2019-11-26

▶

CVEList

CVE-2019-18679: An issue was discovered in Squid 2↗2019-11-26

▶

📋Vendor Advisories

Ubuntu

Squid vulnerabilities↗2019-12-04

▶

Red Hat

squid: Information Disclosure issue in HTTP Digest Authentication↗2019-11-05

▶

Debian

CVE-2019-18679: squid - An issue was discovered in Squid 2.x, 3.x, and 4.x through 4.8. Due to incorrect...↗2019

▶

💬Community

Bugzilla

CVE-2019-18679 squid: Information Disclosure issue in HTTP Digest Authentication [fedora-all]↗2019-11-08

▶

Bugzilla

CVE-2019-18679 squid: Information Disclosure issue in HTTP Digest Authentication↗2019-11-08

▶